Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User Accessed Suspicious URL Categories

Back
Idfb0f4a93-d8ad-4b54-9931-85bdb7550f90
RulenameUser Accessed Suspicious URL Categories
DescriptionCreates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.
SeverityMedium
TacticsInitialAccess
CommandAndControl
TechniquesT1566
T1071
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
Version1.0.5
Arm templatefb0f4a93-d8ad-4b54-9931-85bdb7550f90.json
Deploy To Azure
SymantecProxySG
| mv-expand cs_categories
| where cs_categories has_any ("Suspicious","phishing", "hacking")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)
query: |
  SymantecProxySG
  | mv-expand cs_categories
  | where cs_categories has_any ("Suspicious","phishing", "hacking")
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)  
description: |
    'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryPeriod: 1h
kind: Scheduled
relevantTechniques:
- T1566
- T1071
status: Available
version: 1.0.5
triggerThreshold: 0
tactics:
- InitialAccess
- CommandAndControl
triggerOperator: gt
severity: Medium
name: User Accessed Suspicious URL Categories
entityMappings:
- fieldMappings:
  - columnName: cs_userdn
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: c_ip
    identifier: Address
  entityType: IP
id: fb0f4a93-d8ad-4b54-9931-85bdb7550f90
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb0f4a93-d8ad-4b54-9931-85bdb7550f90')]",
      "properties": {
        "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90",
        "customDetails": null,
        "description": "'Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.'\n",
        "displayName": "User Accessed Suspicious URL Categories",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "cs_userdn",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "c_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml",
        "query": "SymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1071",
          "T1566"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}